On 14 March 2023, the Romanian DPA announced it sanctioned an electric energy supplier with a EUR 3,000 fine for failing to implement adequate technical and organizational measures to ensure a level of security appropriate to the processing risk.
The investigation was initiated following the receipt of a data breach notification lodged by the said controller.
During the investigation, the Romanian DPA found that the data breach occurred through unauthorized access to the controller’s e-mail server. This led to a breach of confidentiality that affected personal data such as name, surname, e-mail address, personal numerical code (“CNP” in Romanian), telephone numbers, and household addresses.
The press release is available here (only in Romanian).
